Welcome to Sprout ("we," "our," or "us"). We are committed to protecting your privacy and ensuring you have a positive experience using our app. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Sprout mobile application.
By using Sprout, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our app.
1. Information We Collect
1.1 Information You Provide
Account Information:
Email address (if you create an account)
Password (encrypted and never stored in plain text)
Name (optional, for personalization)
OAuth provider information (if you sign in with Google or Apple)
App Usage Data:
Tasks you create (title, notes, due dates, priority)
Pet customization (pet type, name, pronouns)
App settings and preferences
Completion history and productivity statistics
1.2 Information Automatically Collected
Device Information:
Device type and model
Operating system version
Unique device identifiers
App version
Usage Analytics:
App interactions and feature usage
Session duration
Error logs and crash reports
Performance metrics
1.3 Information We Do NOT Collect
We do NOT:
Track your location
Access your contacts
Access your camera or photos (unless you explicitly grant permission for specific features)
Share your data with third-party advertisers
Sell your personal information
2. Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds:
Consent: When you create an account, use AI features, or enable analytics, you provide explicit consent for data processing. You can withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
Contract: To provide services you've signed up for, including account creation, task syncing, and premium features.
Legitimate Interest: To improve the app, prevent fraud and abuse, maintain security, and optimize performance. We ensure our legitimate interests do not override your rights and freedoms.
Legal Obligation: To comply with laws and regulations, respond to legal requests, and enforce our Terms of Service.
3. How We Use Your Information
3.1 Provide Core Services
Create and maintain your account
Sync your tasks and data across devices
Save your pet's progress and customization
Process your subscription (if you upgrade to Premium)
3.2 Improve User Experience
Personalize app content and features
Remember your preferences and settings
Provide AI-powered task recommendations (with your consent when using AI features)
3.3 Maintain App Functionality
Monitor app performance and fix bugs
Prevent fraud and abuse
Respond to user support requests
Send essential service updates
3.4 AI Features (With Your Explicit Consent)
When you actively choose to use AI-powered features (Task Breakdown, Brain Dump, "What Should I Do Now?"):
Your task data is sent to OpenAI's API for processing
We do not store AI-generated content longer than necessary to deliver the service
You can choose not to use AI features at any time without affecting core app functionality
Automated Decision-Making: Our AI features provide suggestions and recommendations but do not make automated decisions that significantly affect you legally or similarly. You maintain full control over all tasks and decisions within the app.
4. How We Share Your Information
We do NOT sell your personal information. We only share data in these limited circumstances:
4.1 Service Providers (Data Processors)
We share data with trusted service providers who process data on our behalf under strict contractual obligations:
Supabase (database and authentication)
Purpose: Stores your account and app data
Location: AWS infrastructure, with servers in the United States
Safeguards: Standard Contractual Clauses (SCCs), encryption, role-based access controls
OpenAI (AI features)
Purpose: Processes task data when you use AI features (with your consent)
Location: United States
Safeguards: Data Processing Agreement, OpenAI's privacy commitments
RevenueCat (subscription management)
Purpose: Processes and manages premium subscriptions
Location: United States
Safeguards: Data Processing Agreement, industry-standard security
Google/Apple (OAuth authentication)
Purpose: Secure authentication when you choose to sign in with these services
Location: Global infrastructure
Safeguards: Subject to Google and Apple Privacy Policies
All service providers are contractually required to:
Process data only on our instructions
Implement appropriate security measures
Not use your data for their own purposes
Comply with GDPR requirements for data processors
4.2 Legal Requirements
We may disclose your information if required by law, court order, or to:
Comply with legal processes or governmental requests
Enforce our Terms of Service
Protect our rights, property, or safety, or that of our users
Prevent fraud, security threats, or illegal activities
4.3 Business Transfers
If Sprout is acquired, merged with another company, or undergoes a business restructuring, your information may be transferred as part of that transaction. You will be notified via email and/or prominent notice in the app at least 30 days before any such transfer, with an opportunity to delete your data before the transfer.
5. International Data Transfers
If you use Sprout from outside the United States:
Your data may be transferred to and processed in the United States and other countries where our service providers operate. These countries may have different data protection laws than your country of residence.
We ensure adequate protection for international transfers through:
Standard Contractual Clauses (SCCs) approved by the European Commission
Data Processing Agreements with all processors handling EU/UK personal data
Technical and organizational security measures equivalent to GDPR standards
Regular assessments of data transfer mechanisms to ensure compliance with EU Court of Justice rulings
Note: We do not rely on the EU-U.S. Privacy Shield, which was invalidated in 2020.
6. Data Storage and Security
6.1 Where We Store Data
Cloud Storage: Your data is stored securely on Supabase servers (AWS infrastructure)
Local Storage: Some data is cached locally on your device for offline access
Server Location: Primary servers are located in the United States
6.2 How We Protect Data
We implement industry-standard security measures:
All data is encrypted in transit (HTTPS/TLS 1.2+)
Database is encrypted at rest (AES-256)
Passwords are hashed using bcrypt or similar algorithms
Regular security audits and penetration testing
Role-based access controls (Row Level Security)
Multi-factor authentication for administrative access
Regular security updates and patch management
Staff training on data protection and security
6.3 Data Retention
Active accounts: Data retained as long as your account is active and for legitimate business purposes
Deleted accounts: Personal data deleted within 14 days of account deletion request, unless we have a legal obligation to retain it
Completed tasks:
Free users: Auto-deleted after 7 days
Premium users: Customizable retention (up to 1 year)
Backups: Retained for up to 90 days for disaster recovery, then permanently deleted
Legal holds: If data is subject to legal proceedings, it may be retained beyond standard periods until the legal matter is resolved
6.4 Data Breach Notification
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms:
We will notify:
The relevant supervisory authority within 72 hours of becoming aware of the breach
You directly via email within 72 hours if the breach poses a high risk to you
You have the following rights regarding your personal data:
Right of Access: You can request a copy of all personal data we hold about you
Right to Rectification: You can correct inaccurate or incomplete data
Right to Erasure ("Right to be Forgotten"): You can request deletion of your personal data
Right to Data Portability: You can receive your data in a structured, machine-readable format and transfer it to another service
Right to Restrict Processing: You can limit how we use your data in certain circumstances
Right to Object: You can object to processing based on legitimate interests or for direct marketing
Right to Withdraw Consent: You can withdraw consent at any time without affecting prior processing
Right Not to be Subject to Automated Decision-Making: You have rights regarding automated decisions with significant effects (our AI features do not make such decisions)
Right to Lodge a Complaint: You can file a complaint with your local supervisory authority
7.2 How to Exercise Your Rights
In-app:
Settings → Account → Manage Data (access, update, export data)
Settings → Privacy → Manage Consents (withdraw specific consents)
We will respond to privacy requests within 30 days (as required by GDPR)
We may extend this by 60 additional days for complex requests (we'll inform you within the first 30 days)
We will verify your identity before processing requests
Free of Charge:
The first request is free
Excessive or repetitive requests may incur a reasonable administrative fee
7.3 Withdrawing Consent
You can withdraw consent for specific data processing activities without deleting your account:
Analytics: Settings → Privacy → Disable Analytics AI Features: Simply don't use AI features; no data is sent unless you actively use them Marketing Communications: Unsubscribe links in emails or Settings → Notifications
Withdrawing consent does not affect:
Processing based on other legal bases (contract, legitimate interest, legal obligation)
The lawfulness of processing before consent was withdrawn
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
For California Users (CCPA):
Right to know what data is collected
Right to delete personal information
Right to opt-out of data sales (we don't sell data)
Right to non-discrimination for exercising rights
8. Children's Privacy
Sprout is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13 (or under 16 for EU/UK users without parental consent).
If you believe we have collected data from a child under the applicable age:
Apple App Store: Processes iOS in-app purchases Google Play Store: Processes Android in-app purchases RevenueCat: Manages subscription status
We do NOT store your payment information (credit cards, billing details, etc.). All payment processing is handled directly by Apple, Google, or their authorized processors.
10. Cookies and Tracking
10.1 What We Use
Local Storage: To save your settings and preferences on your device
Authentication Tokens: To keep you logged in securely
Analytics Cookies (with consent): To understand how features are used (anonymized)
10.2 What We Don't Use
We do NOT use:
Advertising cookies
Cross-site tracking
Third-party advertising networks
Tracking pixels for marketing
10.3 Your Control
You can manage cookie preferences in Settings → Privacy. Note that disabling certain cookies may affect app functionality.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements.
How we notify you of significant changes:
In-app notification with summary of changes
Email notification to registered users at least 30 days before changes take effect
Updated "Last Updated" date at the top of this policy
What constitutes a significant change:
Changes to data collection practices
New data sharing arrangements
Changes to your rights or how to exercise them
Material changes to data retention or security
Your options:
Review changes and continue using Sprout (constitutes acceptance)
Contact us with questions or concerns
Exercise your right to delete your account if you disagree with changes
For non-significant changes: We will update the policy and date without advance notice.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy:
The DPO is responsible for overseeing our data protection strategy and GDPR compliance
Summary
What we collect: Email, tasks, pet data, usage analytics (with consent)
Why we collect it: To provide the app, sync across devices, improve features
Who we share with: Only essential service providers (Supabase, OpenAI for AI features, payment processors) under strict contractual protections
Your rights: Access, update, export, delete your data, withdraw consent, object to processing, lodge complaints
Our commitment: We never sell your data, never show you ads, and protect your privacy with strong security measures
Legal basis: Consent, contract performance, legitimate interests, and legal obligations
Your control: You can withdraw consent, delete your account, or exercise any GDPR right at any time
Effective Date
This Privacy Policy is effective as of February 2, 2025 and applies to all users of the Sprout mobile application.
Thank you for trusting Sprout with your data. Your privacy matters to us.
Version History
v2.0 (February 2, 2025): Updated for full GDPR compliance, removed Privacy Shield reference, added data breach notification procedures, clarified consent withdrawal mechanisms, added supervisory authority details
v1.0 (Initial version): Original privacy policy
Privacy Policy for Sprout
Last Updated: February 2, 2025
Introduction
Welcome to Sprout ("we," "our," or "us"). We are committed to protecting your privacy and ensuring you have a positive experience using our app. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Sprout mobile application.
By using Sprout, you agree to the collection and use of information in accordance with this policy. If you do not agree with this policy, please do not use our app.
1. Information We Collect
1.1 Information You Provide
Account Information:
Email address (if you create an account)
Password (encrypted and never stored in plain text)
Name (optional, for personalization)
OAuth provider information (if you sign in with Google or Apple)
App Usage Data:
Tasks you create (title, notes, due dates, priority)
Pet customization (pet type, name, pronouns)
App settings and preferences
Completion history and productivity statistics
1.2 Information Automatically Collected
Device Information:
Device type and model
Operating system version
Unique device identifiers
App version
Usage Analytics:
App interactions and feature usage
Session duration
Error logs and crash reports
Performance metrics
1.3 Information We Do NOT Collect
We do NOT:
Track your location
Access your contacts
Access your camera or photos (unless you explicitly grant permission for specific features)
Share your data with third-party advertisers
Sell your personal information
2. Legal Basis for Processing (GDPR)
We process your personal data based on the following legal grounds:
Consent: When you create an account, use AI features, or enable analytics, you provide explicit consent for data processing. You can withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
Contract: To provide services you've signed up for, including account creation, task syncing, and premium features.
Legitimate Interest: To improve the app, prevent fraud and abuse, maintain security, and optimize performance. We ensure our legitimate interests do not override your rights and freedoms.
Legal Obligation: To comply with laws and regulations, respond to legal requests, and enforce our Terms of Service.
3. How We Use Your Information
3.1 Provide Core Services
Create and maintain your account
Sync your tasks and data across devices
Save your pet's progress and customization
Process your subscription (if you upgrade to Premium)
3.2 Improve User Experience
Personalize app content and features
Remember your preferences and settings
Provide AI-powered task recommendations (with your consent when using AI features)
3.3 Maintain App Functionality
Monitor app performance and fix bugs
Prevent fraud and abuse
Respond to user support requests
Send essential service updates
3.4 AI Features (With Your Explicit Consent)
When you actively choose to use AI-powered features (Task Breakdown, Brain Dump, "What Should I Do Now?"):
Your task data is sent to OpenAI's API for processing
We do not store AI-generated content longer than necessary to deliver the service
You can choose not to use AI features at any time without affecting core app functionality
Automated Decision-Making: Our AI features provide suggestions and recommendations but do not make automated decisions that significantly affect you legally or similarly. You maintain full control over all tasks and decisions within the app.
4. How We Share Your Information
We do NOT sell your personal information. We only share data in these limited circumstances:
4.1 Service Providers (Data Processors)
We share data with trusted service providers who process data on our behalf under strict contractual obligations:
Supabase (database and authentication)
Purpose: Stores your account and app data
Location: AWS infrastructure, with servers in the United States
Safeguards: Standard Contractual Clauses (SCCs), encryption, role-based access controls
OpenAI (AI features)
Purpose: Processes task data when you use AI features (with your consent)
Location: United States
Safeguards: Data Processing Agreement, OpenAI's privacy commitments
RevenueCat (subscription management)
Purpose: Processes and manages premium subscriptions
Location: United States
Safeguards: Data Processing Agreement, industry-standard security
Google/Apple (OAuth authentication)
Purpose: Secure authentication when you choose to sign in with these services
Location: Global infrastructure
Safeguards: Subject to Google and Apple Privacy Policies
All service providers are contractually required to:
Process data only on our instructions
Implement appropriate security measures
Not use your data for their own purposes
Comply with GDPR requirements for data processors
4.2 Legal Requirements
We may disclose your information if required by law, court order, or to:
Comply with legal processes or governmental requests
Enforce our Terms of Service
Protect our rights, property, or safety, or that of our users
Prevent fraud, security threats, or illegal activities
4.3 Business Transfers
If Sprout is acquired, merged with another company, or undergoes a business restructuring, your information may be transferred as part of that transaction. You will be notified via email and/or prominent notice in the app at least 30 days before any such transfer, with an opportunity to delete your data before the transfer.
5. International Data Transfers
If you use Sprout from outside the United States:
Your data may be transferred to and processed in the United States and other countries where our service providers operate. These countries may have different data protection laws than your country of residence.
We ensure adequate protection for international transfers through:
Standard Contractual Clauses (SCCs) approved by the European Commission
Data Processing Agreements with all processors handling EU/UK personal data
Technical and organizational security measures equivalent to GDPR standards
Regular assessments of data transfer mechanisms to ensure compliance with EU Court of Justice rulings
Note: We do not rely on the EU-U.S. Privacy Shield, which was invalidated in 2020.
6. Data Storage and Security
6.1 Where We Store Data
Cloud Storage: Your data is stored securely on Supabase servers (AWS infrastructure)
Local Storage: Some data is cached locally on your device for offline access
Server Location: Primary servers are located in the United States
6.2 How We Protect Data
We implement industry-standard security measures:
All data is encrypted in transit (HTTPS/TLS 1.2+)
Database is encrypted at rest (AES-256)
Passwords are hashed using bcrypt or similar algorithms
Regular security audits and penetration testing
Role-based access controls (Row Level Security)
Multi-factor authentication for administrative access
Regular security updates and patch management
Staff training on data protection and security
6.3 Data Retention
Active accounts: Data retained as long as your account is active and for legitimate business purposes
Deleted accounts: Personal data deleted within 14 days of account deletion request, unless we have a legal obligation to retain it
Completed tasks:
Free users: Auto-deleted after 7 days
Premium users: Customizable retention (up to 1 year)
Backups: Retained for up to 90 days for disaster recovery, then permanently deleted
Legal holds: If data is subject to legal proceedings, it may be retained beyond standard periods until the legal matter is resolved
6.4 Data Breach Notification
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms:
We will notify:
The relevant supervisory authority within 72 hours of becoming aware of the breach
You directly via email within 72 hours if the breach poses a high risk to you
You have the following rights regarding your personal data:
Right of Access: You can request a copy of all personal data we hold about you
Right to Rectification: You can correct inaccurate or incomplete data
Right to Erasure ("Right to be Forgotten"): You can request deletion of your personal data
Right to Data Portability: You can receive your data in a structured, machine-readable format and transfer it to another service
Right to Restrict Processing: You can limit how we use your data in certain circumstances
Right to Object: You can object to processing based on legitimate interests or for direct marketing
Right to Withdraw Consent: You can withdraw consent at any time without affecting prior processing
Right Not to be Subject to Automated Decision-Making: You have rights regarding automated decisions with significant effects (our AI features do not make such decisions)
Right to Lodge a Complaint: You can file a complaint with your local supervisory authority
7.2 How to Exercise Your Rights
In-app:
Settings → Account → Manage Data (access, update, export data)
Settings → Privacy → Manage Consents (withdraw specific consents)
We will respond to privacy requests within 30 days (as required by GDPR)
We may extend this by 60 additional days for complex requests (we'll inform you within the first 30 days)
We will verify your identity before processing requests
Free of Charge:
The first request is free
Excessive or repetitive requests may incur a reasonable administrative fee
7.3 Withdrawing Consent
You can withdraw consent for specific data processing activities without deleting your account:
Analytics: Settings → Privacy → Disable Analytics AI Features: Simply don't use AI features; no data is sent unless you actively use them Marketing Communications: Unsubscribe links in emails or Settings → Notifications
Withdrawing consent does not affect:
Processing based on other legal bases (contract, legitimate interest, legal obligation)
The lawfulness of processing before consent was withdrawn
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
For California Users (CCPA):
Right to know what data is collected
Right to delete personal information
Right to opt-out of data sales (we don't sell data)
Right to non-discrimination for exercising rights
8. Children's Privacy
Sprout is intended for users aged 13 and older. We do not knowingly collect personal information from children under 13 (or under 16 for EU/UK users without parental consent).
If you believe we have collected data from a child under the applicable age:
Apple App Store: Processes iOS in-app purchases Google Play Store: Processes Android in-app purchases RevenueCat: Manages subscription status
We do NOT store your payment information (credit cards, billing details, etc.). All payment processing is handled directly by Apple, Google, or their authorized processors.
10. Cookies and Tracking
10.1 What We Use
Local Storage: To save your settings and preferences on your device
Authentication Tokens: To keep you logged in securely
Analytics Cookies (with consent): To understand how features are used (anonymized)
10.2 What We Don't Use
We do NOT use:
Advertising cookies
Cross-site tracking
Third-party advertising networks
Tracking pixels for marketing
10.3 Your Control
You can manage cookie preferences in Settings → Privacy. Note that disabling certain cookies may affect app functionality.
11. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements.
How we notify you of significant changes:
In-app notification with summary of changes
Email notification to registered users at least 30 days before changes take effect
Updated "Last Updated" date at the top of this policy
What constitutes a significant change:
Changes to data collection practices
New data sharing arrangements
Changes to your rights or how to exercise them
Material changes to data retention or security
Your options:
Review changes and continue using Sprout (constitutes acceptance)
Contact us with questions or concerns
Exercise your right to delete your account if you disagree with changes
For non-significant changes: We will update the policy and date without advance notice.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy: